Friday, 26 February 2010

Sharing the knowledge

In the last two weeks, I was requested by some parties to share my knowledge of digital forensics at two different activities. The first was to be the keynote speaker at the digital forensic preview seminar conducted by the EC-Council Representative for Indonesia (i.e. PT. Datamation) together with PT. Andalan Nusantara Teknologi. This seminar, held in Jakarta, was attended by about sixty people who are Chief Information Officers (CIOs) or IT staff from different organisations in Indonesia such as Bank Central Asia (BCA), Pertamina, Bina Nusantara University, the Indonesian Foreign Affairs Department and so on. The second was to be a guest lecturer at the University of Indonesia. This is a programme of the British Council (i.e. the UK Alumni Road Show) carried out jointly with the Criminology Department of the University of Indonesia. This class, moderated by Prof. Adrianus Meliala, was attended by about thirty students who actively followed the lecture session.

On both occasions, I talked about the current development of digital forensics. The following are some of the core materials delivered:

Investigation flow chart
This chart explains that computer crime or computer-related crime is investigated in order to solve the case, and that the investigation is done by applying digital forensics properly. Here, digital forensics plays some key roles, namely:
- To support and perform scientific crime investigation.
- To carry out forensic analysis on electronic evidence in order to find digital evidence.
- To be able to describe the link between the perpetrators and their crime.
- To deliver expert testimony at court.

Digital forensic principles
These principles are adopted from the ACPO (Association of Chief Police Officers in the UK) guidelines. They are widely used by digital forensic practitioners around the world. In my view, a digital forensic analyst should understand these principles and has to apply them when performing a forensic investigation. Below are the principles quoted from the guidelines.
1. No action taken by law enforcement agencies should change data held on a computer or storage media.
2. The person accessing the data must be competent to do so and able to explain the relevance and implications of the actions taken.
3. An audit trail or record of all processes applied should be created and preserved.
4. The person in charge has overall responsibility to ensure that these principles are adhered to.

First actions at the scene
When a computer is off, the following actions should be taken:
1. Make sure it is switched off and never turn it on.
2. Remove the battery (for notebooks / mobile devices) or unplug the end of the power cable attached to the CPU first, and then from the wall socket (for PCs).
3. For mobile devices: never remove the SIM card from the device, if one is present.
4. Label, document and record it; and then seize it for further analysis.

When a computer is on, the actions are:
1. Record what is running on the screen.
2. Collect data (e.g. running processes, open ports, decrypted volumes, etc.). Ensure that any changes made to the system by this collection are understood.
3. When possible, perform live forensic imaging.
4. Never use the shutdown procedure of the OS.
5. Unplug the power cable from the CPU first, and then from the wall socket (for PCs), or remove the battery (for notebooks / mobile devices).
6. Label, document and record it; and then seize it for further analysis.

Anti forensic
Anti-forensics is defined as the techniques implemented by a perpetrator to work against digital forensics. The objectives of anti-forensics are:
1. To conceal case-related information.
2. To obscure the criminal's involvement.
3. To obstruct the work of the digital forensic analyst.

The anti-forensic techniques most frequently implemented are:
1. Cryptography. A method of concealing essential information by applying a cryptographic algorithm.
2. Steganography. A method of concealing essential information by embedding it into a carrier, so that it is difficult to detect.
3. Wiping. A method of secure deletion by overwriting the sectors of the deleted target.
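As an added example (not from the post) of how an analyst looks for the wiping technique described above, this Python function scans a raw image for runs of sectors overwritten with a single byte value; the 64-sector sample image and its layout are constructed for the example:

```python
"""Added example: find runs of uniformly overwritten sectors in a raw image,
the footprint a single-pass 0x00 or 0xFF wipe leaves behind."""
SECTOR = 512

def find_uniform_runs(image: bytes, sector: int = SECTOR) -> list:
    """Return (first_sector, sector_count, fill_byte) for every run of two or
    more consecutive sectors whose bytes all hold the same value.
    Caveat: a wipe that writes random data will not show up here; that needs
    an entropy check, which this example does not implement."""
    runs = []
    current = None  # [start_sector, count, fill_byte] of the run in progress
    for idx in range(len(image) // sector):
        chunk = image[idx * sector:(idx + 1) * sector]
        fill = chunk[0] if chunk.count(chunk[0]) == sector else None
        if fill is not None and current and current[2] == fill:
            current[1] += 1          # same fill byte: extend the current run
            continue
        if current and current[1] >= 2:
            runs.append(tuple(current))
        current = [idx, 1, fill] if fill is not None else None
    if current and current[1] >= 2:
        runs.append(tuple(current))
    return runs

def build_sample_image() -> bytes:
    """Constructed 64-sector image: 8 sectors of data, 8 zero-wiped sectors,
    14 sectors of a text document, 4 sectors filled with 0xFF, 30 of data."""
    data = bytes(range(256)) * 2                       # 512 bytes, not uniform
    doc = b"Quarterly ledger, confidential (constructed)".ljust(SECTOR, b" ")
    return data * 8 + b"\x00" * SECTOR * 8 + doc * 14 + b"\xff" * SECTOR * 4 + data * 30

if __name__ == "__main__":
    for start, count, fill in find_uniform_runs(build_sample_image()):
        print(f"sectors {start}-{start + count - 1}: {count} x 0x{fill:02x}")
```

A run of wiped sectors inside an otherwise populated file-system region is a lead to correlate with file-system metadata and timestamps, not proof of wiping on its own.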

Those are several of the materials I delivered on both occasions. It is a source of pride for me to be a speaker or lecturer, sharing my knowledge and experience of digital forensics with other people. I always look forward to receiving invitations to programmes like these. Hopefully this could be useful for anybody or any organisation that would like to apply digital forensics in the investigation of computer crime or computer-related crime.

2 comments:

Muhammad Nuh Al-Azhar, you are SPOT ON! Thanks for sharing such a nice article. I had gone through the article and some of the points mentioned are very informative. I have been CHFI; for more information on computer forensics check this link http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx

About Me

I have been working for the Indonesian Police Forensic Laboratory Centre (Puslabfor Bareskrim Polri) since 1997. My current job is Chief of the Computer Forensic Sub-Department. My core duties are to handle digital forensic investigation and analysis of electronic and digital evidence. I am the pioneer of developing computer forensic capabilities at Puslabfor Bareskrim Polri, which started around 2000. Last year, in 2012, I and my team successfully investigated and analysed 488 items of evidence which came from 81 cases of computer crime and computer-related crime.
In 2012 I wrote a book with the title "Digital Forensic: Practical Guidelines for Forensic Investigation". Its contents are mostly from the knowledge and science I gained by joining the MSc in Forensic Informatics at the University of Strathclyde, in the UK, in 2008/2009 through the Chevening Scholarships. In 2010, the British Council in Indonesia gave me a prestigious award as one of "The Super Six UK Alumni".